Configuration:
Queries for non-existent FQDNs received "No Such Name" responses from the DNS server and were incorrectly processed by the L4 rule instead of the L7 rule.
DNS queries are being processed by the L4 rule (rule ID: 1015), bypassing the intended L7 rule (rule ID: 1014), despite the DNS context profile rule being placed above the L4 rule.
VMware NSX 4.x
The APP_ID key is not added during the classification process, which causes the DNS traffic to bypass the L7 rule and fall back to the L4 rule.
Broadcom is working on the fix and it will be available in a future release.